Overview
Some USC services require a secure two-step login process. These services first prompt you to enter a USC NetID and passphrase on the Shibboleth SSO login screen, followed by a Duo authentication prompt that requires you to verify your identity before you can access USC services.
Available authentication methods
The following Duo authentication methods are available for Duo Universal Prompt, listed in descending order from most secure to least secure:
Authentication method
Description
Biometrics (Touch ID, Windows Hello, Face ID)
Duo mobile Push notification
YubiKey, D100 token, and other hardware tokens
- Setup guide: Using a security token with Duo
- Can be used offline (does not require phone service or an Internet connection)
- Disadvantage: Can be more easily lost or misplaced due to small size, and must be physically connected to your device during use
Phone call or text message
- Setup guide: Adding and removing devices in Duo
- Requires phone service, which may be a limitation when traveling out of the country
- Disadvantage: Considered the least secure method
Default authentication method order
Duo will automatically select the most secure method. Refer to the table above for the order that Duo considers when selecting the default authentication method.
You can manually select Other options if you do not prefer Duo's default selected method.
Retired authentication methods
The following methods are no longer available:
- You can no longer use the "Enter a Passcode" option with the Duo mobile app.
- You can no longer have Duo text you a list of ten bypass codes for offline use.
Using biometrics (Touch ID, Windows Hello, and Face ID)
You can use biometrics for Duo authentication on supported devices. Guides are available for the following options:
Face ID is available for iPads and iPhones.
Using Duo while abroad
If you are traveling out of the country, you can still use any of following methods for Duo authentication as long as you set them up beforehand:
- (recommended) Biometrics
- Duo mobile Push notifications (phone or Internet connection required)
- Security token
Bypass codes
If you only use phone calls or text messages for Duo authentication, the following options are available to you for use while out of the country:
- Option 1: Request a bypass code for travel
- Must be requested prior to travel, as Duo authentication is required
- The code is effective for 7 days once generated
- Option 2: Request a 1-day bypass code
- Can be requested while out of the country
- Requires authentication with a government-issued ID and a selfie
- The code is effective for up to 10 times on the day that it is generated: we recommend using it to set up biometrics or add a device with the Duo mobile app
- Option 3: Register a new Duo device
- Can be requested while out of the country
- Requires authentication with a government-issued ID and a selfie
- The code is single use, and once your device is registered, you should use the device instead of the bypass code
International travel
If you are traveling out of the country, please review this important guide from the USC Office of Cybersecurity:
Using Duo with org accounts
Org accounts using delegate access
If you use delegate access to sign into an org account, you will continue using your USC NetID and Duo authentication to sign in. Most Dornsife org accounts use delegate access to sign in.
Org accounts using direct access
If you have the org account's password and are signing in directly, the Duo authentication prompt asks you to select an authentication method. You can click the Device dropdown to filter the prompt options:
See the following setup guide for how to add authentication methods to an org account:
Additional resources
For further information, refer to the following ITS webpage:
Contributor: Brandon Chau.